httpauth-firebase/CHANGELOG.md
Rene Nochebuena 34c5fa7ded fix(httpauth-firebase)!: rename package httpauthfirebase, bump httpauth and rbac to v1.0.0
Rename package from httpauth to httpauthfirebase to follow ecosystem convention
(repo name = package name, hyphens removed). Bump httpauth dependency from
v0.1.0 to v1.0.0 and rbac indirect dependency from v0.9.0 to v1.0.0.

BREAKING CHANGE: import path unchanged (code.nochebuena.dev/go/httpauth-firebase)
but package identifier changes from httpauth to httpauthfirebase — remove any
import alias previously used to disambiguate from code.nochebuena.dev/go/httpauth.
2026-05-07 23:46:59 -06:00

Changelog

All notable changes to this module will be documented in this file.

The format is based on Keep a Changelog, and this module adheres to Semantic Versioning.

1.0.0 - 2026-05-08

Changed

  • Package renamed from httpauth to httpauthfirebase — follows ecosystem convention (repo name = package name, hyphens removed); import path is unchanged (code.nochebuena.dev/go/httpauth-firebase); remove any alias previously used to disambiguate from code.nochebuena.dev/go/httpauth
  • EnrichmentMiddleware, AuthzMiddleware, IdentityEnricher, PermissionProvider, WithTenantHeader, and EnrichOpt removed; they now live in code.nochebuena.dev/go/httpauth (provider-agnostic middleware layer)
  • AuthMiddleware updated to call httpauth.SetTokenData — fulfills the integration contract between provider-specific auth and generic middleware
  • Dependency code.nochebuena.dev/go/httpauth bumped to v1.0.0
  • Dependency code.nochebuena.dev/go/rbac bumped to v1.0.0 (indirect)

0.9.0 - 2026-03-18

Added

  • TokenVerifier interface — abstracts *auth.Client for unit-test mockability; *auth.Client satisfies it directly in production via its VerifyIDTokenAndCheckRevoked method
  • IdentityEnricher interface — application-implemented; receives uid string and claims map[string]any, returns rbac.Identity; called by EnrichmentMiddleware on every request
  • PermissionProvider interface — application-implemented; receives uid and resource string, returns rbac.PermissionMask; called by AuthzMiddleware on every request
  • EnrichOpt functional option type for configuring EnrichmentMiddleware
  • WithTenantHeader(header string) EnrichOpt — reads a tenant ID from the named request header and attaches it to the identity via rbac.Identity.WithTenant; absent header leaves TenantID as an empty string with no error
  • AuthMiddleware(verifier TokenVerifier, publicPaths []string) func(http.Handler) http.Handler — verifies Authorization: Bearer <token> via Firebase JWT verification and injects the verified uid and raw claims into the request context under unexported typed keys; paths matching any pattern in publicPaths bypass token verification (glob patterns via path.Match, * wildcard supported); returns 401 on missing or invalid tokens
  • EnrichmentMiddleware(enricher IdentityEnricher, opts ...EnrichOpt) func(http.Handler) http.Handler — reads the uid and claims stored by AuthMiddleware, calls enricher.Enrich, and stores the resulting rbac.Identity in context via rbac.SetInContext; returns 401 if AuthMiddleware has not run upstream; returns 500 if the enricher fails
  • AuthzMiddleware(provider PermissionProvider, resource string, required rbac.Permission) func(http.Handler) http.Handler — reads rbac.Identity from context via rbac.FromContext, resolves the permission mask for the identity's UID on resource, and gates the request against the required permission bit; returns 401 if no identity is in context; returns 403 if the permission check fails or the provider returns an error
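An added example (not part of this module's code) that audits a publicPaths list against a route table using the path.Match semantics named in the AuthMiddleware entry above, so the set of routes that skip token verification is explicit. The helper names, patterns and routes are constructed for illustration, and treating a malformed pattern as a non-match is an assumption, since the module's own handling is not shown here.

```go
package main

import (
	"fmt"
	"path"
)

// isPublic reports whether reqPath matches any pattern under path.Match rules.
// Assumption: a pattern that path.Match rejects never grants a bypass (fail closed).
func isPublic(patterns []string, reqPath string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, reqPath); err == nil && ok {
			return true
		}
	}
	return false
}

// auditPublicPaths returns the routes that would bypass token verification
// and the patterns that path.Match reports as malformed (path.ErrBadPattern).
func auditPublicPaths(patterns, routes []string) (bypass, bad []string) {
	for _, p := range patterns {
		// Matching against "" still validates the whole pattern's syntax.
		if _, err := path.Match(p, ""); err != nil {
			bad = append(bad, p)
		}
	}
	for _, r := range routes {
		if isPublic(patterns, r) {
			bypass = append(bypass, r)
		}
	}
	return bypass, bad
}

func main() {
	// Constructed sample data. Note that "*" never crosses a "/" in path.Match.
	patterns := []string{"/health", "/docs/*", "/v1/*/status", "/assets/["}
	routes := []string{
		"/health", "/health/", "/docs/index.html", "/docs/api/v1.json",
		"/v1/orders/status", "/v1/orders/42", "/admin",
	}
	bypass, bad := auditPublicPaths(patterns, routes)
	fmt.Println("unauthenticated routes:", bypass)
	fmt.Println("malformed patterns:   ", bad)
}
```

Running a check like this in CI against the real route table catches both an over-broad pattern and one that silently fails to cover a nested or trailing-slash path.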

Design Notes

  • The three middleware functions are intentionally separate so they can be applied at different scopes: AuthMiddleware at the root router, EnrichmentMiddleware on authenticated route groups, and AuthzMiddleware per-route or per-group with different resource and permission arguments
  • The module is named httpauth-firebase rather than httpauth because it imports the Firebase SDK directly; other providers (httpauth-auth0, httpauth-jwt, etc.) are separate sibling modules that all converge on the same rbac.Identity output contract, which means downstream handlers and business logic never depend on a specific auth provider
  • No logger parameter is accepted; errors are returned as plain-text HTTP responses, keeping the dependency surface to rbac and firebase.google.com/go/v4 only